如何解决简单的HWID锁上的蹦床挂钩GetVolumeInformationW
我正在尝试使用蹦床挂钩将GetVolumeinformationW挂钩在简单的HWID锁上,以返回序列号的特定值(123456789)。当我注入dll时,程序立即崩溃。我也尝试从程序86文件夹启动hwid锁定,但是无论如何它都会崩溃。我尝试了SendBoxMessageA,SwapBuffers上的蹦床挂钩,它可以完美运行。 这是HWID锁定代码。
#include <iostream>
#include <Windows.h>
#include <tchar.h>
int main()
{
std::cout << "Checking...\n";
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
if (GetVolumeinformation(
_T("C:\\"),volumeName,ARRAYSIZE(volumeName),&serialNumber,&maxComponentLen,&fileSystemFlags,fileSystemName,ARRAYSIZE(fileSystemName)
))
{
Sleep(1000000);
DWORD acceptedSerial = 123456789;
if (serialNumber == acceptedSerial) {
std::cout << "Welcome to my app!" << std::endl;
}
else {
std::cout << "You are not in the system!" << std::endl;
Sleep(4000);
return 0;
}
}
}
这是dll的代码
#include <iostream>
#include <Windows.h>
#include <tchar.h>
bool Detour32(char* src,char* dst,const intptr_t len)
{
if (len < 5) return false;
DWORD curProtection;
VirtualProtect(src,len,PAGE_EXECUTE_READWRITE,&curProtection);
intptr_t relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;
*src = (char)'\xE9';
*(intptr_t*)((intptr_t)src + 1) = relativeAddress;
VirtualProtect(src,curProtection,&curProtection);
return true;
}
char* TrampHook32(char* src,const intptr_t len)
{
// Make sure the length is greater than 5
if (len < 5) return 0;
// Create the gateway (len + 5 for the overwritten bytes + the jmp)
void* gateway = VirtualAlloc(0,len + 5,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
//Write the stolen bytes into the gateway
memcpy(gateway,src,len);
// Get the gateway to destination addy
intptr_t gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;
// Add the jmp opcode to the end of the gateway
*(char*)((intptr_t)gateway + len) = 0xE9;
// Add the address to the jmp
*(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;
// Perform the detour
Detour32(src,dst,len);
return (char*)gateway;
}
typedef BOOL(__stdcall* tGetVolumeinformation)
(
LPCWSTR lpRootPathName,LPWSTR lpVolumeNameBuffer,DWORD nVolumeNameSize,LPDWORD lpVolumeSerialNumber,LPDWORD lpMaximumComponentLength,LPDWORD lpFileSystemFlags,LPWSTR lpFileSystemNameBuffer,DWORD nFileSystemNameSize
);
tGetVolumeinformation oGetVolumeinformation = nullptr;
BOOL __stdcall hkGetVolumeinformation
(
LPCWSTR lpRootPathName,DWORD nFileSystemNameSize
)
{
*lpVolumeSerialNumber = 0x123456789;
return oGetVolumeinformation
(
lpRootPathName,lpVolumeNameBuffer,nVolumeNameSize,lpVolumeSerialNumber,lpMaximumComponentLength,lpFileSystemFlags,lpFileSystemNameBuffer,nFileSystemNameSize
);
}
DWORD WINAPI Thread(HMODULE hModule)
{
//Create Console
AllocConsole();
FILE* f;
freopen_s(&f,"CONOUT$","w",stdout);
std::cout << "HWID Unlock\n";
// Hook
oGetVolumeinformation = (tGetVolumeinformation)GetProcAddress(GetModuleHandleA("Kernel32.dll"),"GetVolumeinformationW");
oGetVolumeinformation = (tGetVolumeinformation)TrampHook32((char*)oGetVolumeinformation,(char*)hkGetVolumeinformation,5);
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
GetVolumeinformation(_T("C:\\"),ARRAYSIZE(fileSystemName));
std::cout << serialNumber << std::endl;
//
fclose(f);
FreeConsole();
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CloseHandle(CreateThread(nullptr,(LPTHREAD_START_ROUTINE)Thread,hModule,nullptr));
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
有人可以帮助我吗?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。